My long-shot journey to Australia's rarest visa
- Personal
- by Jacob Riggs
- 02-12-2025
I don't mark every milestone publicly, but the moments that mean something do occasionally find their way into my ceremonial practice of an ad hoc blog post.
Today is one of those.
I'm pleased to report I've been granted the Australian 858 visa and now hold immediate and unconditional permanent residency rights in Australia.
For anyone unfamiliar, the 858 is notoriously difficult to obtain. It's invitation-only, involves a rigorous evidence-based assessment process, and is reserved exclusively for "individuals considered to have demonstrated an internationally recognised record of exceptional and outstanding achievement".
Per the official Australian Home Affairs website, this is often demonstrated through globally recognised awards.
With an overall applicant success rate of less than 1%, the published statistics (according to VisaEnvoy) don't exactly inspire confidence in applicants either.
Since the program commenced, more than 9000 Expressions of Interest (EOI) have been submitted, with 304 invitations issued and approximately 85 visas granted.
Cybersecurity doesn't have a trophy equivalent of an Olympic Gold Medal. There's no singular hallmark of excellence you can lean on, so everything comes down to what you've actually done. For me, that meant years of hacking (ethically and legally) into big tech, governments, and academic institutions worldwide, earning large bug bounty payouts, and building a successful career capital through my employment and self-studies.
In the end, the entire process boils down to a lifetime of work distilled into around 60 pages of verifiable evidence and a very slim chance that some panel, somewhere, agrees you've contributed something meaningful to the world.
That evidence ended up being pretty much everything material I could pull together. Not just the professional milestones, but the personal projects I've built, the small businesses I've created, and the various entrepreneurial initiatives I've pursued. In other words, the full unredacted picture (for better or worse).
Admittedly, I've never had a strong academic background to lean on and had to be transparent about this. I barely finished secondary school, so evidence of my education and achievements in that category couldn't rely on the typical "Letter/Statement from an Education Institution" or "Letter/Statement from an Overseas Government" the portal seems to expect from those with academic degrees and research grants etc.
Ironically though, I ended up having an abundance of both anyway. Mostly in the format of formal headed letters of recognition and thanks from top universities and governments around the world, mostly for identifying and responsibly disclosing security vulnerabilities in their systems, some of which I've blogged about here in the past.
Unexpectedly, they were perfect for this sort of application, and with the accreditations from my own self-studies, I'm pleased to report I ended up hitting the attachment limit.
Of course, summarising every past notable achievement in my application is one thing. Showing that work still matters in practice is another. Given the bar the 858 sets, it became clear during the application process that I should also make efforts to show the current value in my capabilities, especially given my role these days sits somewhere between the hands-on hacking I started with and the broader leadership responsibilities that followed.
With my application still sitting in the review queue and the portal continuing to accept changes to evidence, I decided to start looking at the Australian government's attack surface for vulnerabilities (go figure).
This wasn't easy. In truth, finding the time for any of this was its own challenge. The past couple of years have been almost entirely consumed by the demands of my employment, which I've found incredibly testing, and is the main reason I haven't written anything here for so long. It also became clear to me quite early into my recon efforts that much of the Australian government infrastructure is well hardened, though this of course only piqued my interest more (go figure).
Eventually I landed on the Australian Department of Foreign Affairs and Trade (DFAT) and noticed they had a Vulnerability Disclosure Policy in place. Given the permissible scope, I decided to focus my efforts there and, after a few hours, managed to identify an exploitable critical severity vulnerability, then duly reported this to DFAT via their defined process.
Shortly thereafter, one of their Directors (who handled the issue superbly I might add), emailed me directly, expressing praise and gratitude:
DFAT later added my name to their website for recognition.
I can't say how much this tiny additional evidence influenced the outcome of my 858 application (if at all), but I'd like to think it helped demonstrate, in a small and perhaps practical way, that I'm capable and committed to supporting Australia's cybersecurity interests.
Whatever part it played, the journey led here.
I've had my sights set on a future in Australia most of my adult life. Over the years its quality of life index has continued to consistently outperform many western countries by a large margin, and compared to the UK, it offers a noticably higher standard of living (particularly between London and Sydney).
Better weather, healthcare, cleaner environments, more robust economic growth forecasts, lower crime rates, and safer cities that regularly rank among the most liveable in the world. People seem happier - which shows, and there's a cultural emphasis on actually having a life outside of work.
All of it made this journey feel inevitable.
And now, without shortcuts or sponsorship, I'm fortunate enough to be able to call Australia home.
If there's anything I've learned on this journey, it's that the biggest outcomes are often built from small, unremarkable choices. Typically those made quietly and repeated over an extended period of time, usually without fanfare (and in my case without much sleep). In moments like this, I firmly believe it's the ability to demonstrate that consistency which helps set you apart from others.
Unsurprisingly, the application process mirrored that pace. From the first draft of my EOI to the invitation, submission, and final grant, the entire process took about 7–8 months end-to-end.
This was a much faster decision turnaround than indicated from the few reports I was able to find online, but still a long waiting game. Against many of the online advisories, I also opted to gamble on completing the entire process myself, rather than use an agent or immigration lawyer. Very on-brand for me, but a personal choice, and one that ended up working in my favour.
I don't have a clever closing line for anyone following the same path. If the 858 asks for anything, it's evidence that your efforts to master yourself have meant something. You need to identify what you want and be solely accountable in your commitment (as well as your failures) towards meeting that goal unreservedly. You're owed nothing and nobody is coming to save you, so focus inward. Distance yourself from idle excuse-makers who expect you to do their thinking for them, and avoid those drawn to passivity and doubt.
Most importantly, stay disciplined, stop being such a pussy, and keep moving in the only direction that matters - forward.
If you're pursuing the 858 and this post helps you make it the same way I did, let me know. Perhaps we can grab a coffee and I'll remind you who to thank for it.
You.
ABOUT THE AUTHOR
